Support This Project

Prelude is a Hybrid IDS framework, that is, a product that enables every available security application, open source or proprietary, to report to a centralized system. To achieve this, Prelude relies on the IDMEF (Intrusion Detection Message Exchange Format) IETF standard, RFC 4765, which lets different kinds of sensors generate events in a unified language.

Prelude benefits from its ability to find traces of malicious activity across different sensors (Snort, honeyd, the Nessus vulnerability scanner, Samhain, over 30 types of system logs, and many others) in order to better verify an attack and, in the end, to perform automatic correlation between the various events.

Prelude is committed to providing a Hybrid IDS that offers the ability to unify currently available tools into one powerful, distributed application.

Advantages are:

  • Event centralization: no need to look in 10 different places to get the information
  • Standards: all events are logged in IDMEF format. How can other systems claim to do correlation when their events cannot be compared?
  • Extensibility: it is very easy to add a new rule for LML to parse logs, or even to send and receive events using libprelude
  • Scalability: the distributed architecture allows new elements to be added easily
  • Security: events are not sent in clear text to the manager, and sensors are identified using certificates. Additionally, have you ever heard of a vulnerability in Prelude IDS?
  • Robustness: if there is a network failure, or if the manager or even the database is down, a mechanism similar to SMTP ensures that events are not lost (with a check so that it cannot fill the disk, for example)
  • Cooperates with other applications: Prelude is not yet another IDS aiming to replace your current installation. On the contrary, it uses the events your applications already produce.
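To illustrate the point made above about IDMEF and the "Standards" advantage, here is an added example (not code from Prelude or its author): two alerts from different sensor types, both expressed as RFC 4765 IDMEF, parsed with Python's standard library into one common shape and then correlated by source address. The XML sample, analyzer names and addresses are constructed for the example.

```python
"""Correlate alerts from two unrelated sensors once both speak IDMEF (RFC 4765)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"idmef": "http://iana.org/idmef"}  # namespace defined by RFC 4765

# Constructed sample: one alert from a network IDS and one from a log monitor,
# as they might arrive at a manager. All identifiers and addresses are made up.
SAMPLE_ALERTS = """<?xml version="1.0" encoding="UTF-8"?>
<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="nids-0001">
    <Analyzer analyzerid="sensor-a" name="network-ids"/>
    <CreateTime>2007-03-09T10:01:25Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.5</address></Address></Node></Target>
    <Classification text="SSH brute force attempt"/>
  </Alert>
  <Alert messageid="lml-0042">
    <Analyzer analyzerid="sensor-b" name="log-monitor"/>
    <CreateTime>2007-03-09T10:01:31Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.5</address></Address></Node></Target>
    <Classification text="Failed password for root"/>
  </Alert>
</IDMEF-Message>
"""

ADDR = "idmef:{side}/idmef:Node/idmef:Address/idmef:address"


def parse_alerts(xml_text):
    """Return one normalized dict per <Alert>, whichever sensor produced it."""
    root = ET.fromstring(xml_text)
    alerts = []
    for alert in root.findall("idmef:Alert", NS):
        analyzer = alert.find("idmef:Analyzer", NS)
        classification = alert.find("idmef:Classification", NS)
        alerts.append({
            "id": alert.get("messageid"),
            "analyzer": analyzer.get("name") if analyzer is not None else "",
            "time": alert.findtext("idmef:CreateTime", default="", namespaces=NS),
            "source": alert.findtext(ADDR.format(side="Source"), default="", namespaces=NS),
            "target": alert.findtext(ADDR.format(side="Target"), default="", namespaces=NS),
            "classification": classification.get("text", "") if classification is not None else "",
        })
    return alerts


def correlate_by_source(alerts):
    """Group alerts by source address; keep only sources seen by more than one analyzer."""
    by_source = defaultdict(list)
    for alert in alerts:
        by_source[alert["source"]].append(alert)
    return {src: grp for src, grp in by_source.items()
            if len({a["analyzer"] for a in grp}) > 1}
```

Because both sensors report the same fields in the same structure, the correlation step needs no per-sensor parsing at all.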

I'm also working on:

  • high-level bindings (Perl and Python) for the Prelude library: PreludeEasy
  • a graphical editor for LML rules: LMLEdit

Debian packages for sid (unstable) are uploaded to main, so you should be able to get them with apt-get install prelude-lml, for example. People wanting the most recent packages can use http://packages.inl.fr/stable/ as a source for debian/stable. To use it, just add the following line to your /etc/apt/sources.list file:

deb http://packages.inl.fr stable/

For a complete installation guide on a Debian system, see Howto install (a recent version of) Prelude on Etch using Debian Packages.

I'm maintaining some backports for etch (using a buildd). If some people are willing to maintain packages for Ubuntu, Mandriva or other distributions, just contact me so we can share some work.

Other links: